'Dexter' Directly Attacks Point-of-Sale Systems

Point-of-sale (PoS) systems at major retailers, hotel chains, and restaurants worldwide have been hit by new custom malware that targets the PoS.

Researchers at Seculert, who discovered the so-called "Dexter" malware, won't name names of the companies with the 200 to 300 active attacks against their PoS systems across 40 countries. Remote malware attacks against PoS systems aren't new, but most PoSes fall victim to physical skimming attacks, where the bad guys rig the devices with sniffers that steal debit- and credit-card information on-site at the stores or other payment machines.

Barnes & Noble was the most recent high-profile retailer to get owned by a PIN-pad scam. Rogue PIN pad devices discovered in September at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store. The compromised devices were found in some stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island.

Barnes & Noble provided few details of the compromise, except that the devices had been tampered with in some way and implanted with "bugs" that allowed the criminals to capture payment card PIN numbers. Security experts speculated that the crime involved physical tampering with the devices. It's unclear whether that attack is at all related to Dexter, however.

"We cannot comment on specific victims of the attack," says Aviv Raff, CTO at Seculert. "I can say that there are different retailers that were part of the victim list. The main idea was to see that there are attacks against such PoS systems that can be easily used to take Track 1 and Track 2 data and use that information to clone credit cards," Raff says.

This approach is actually simpler and less risky than affixing a skimmer to the PIN pad devices, he says. "The problem with a skimmer is you have to go there physically to install it. It's easier to remotely be able to hit such systems and get the same results," Raff says.

Most of the victim businesses are English-speaking, with 42 percent based in North America, and 19 percent in the U.K. The attackers behind this custom-built malware appear to speak fluent English, according to Seculert's Raff, and don't appear to be the typical Eastern European cybercrime gang. "All of the tools" they used are in English, he says.

Dexter works like this: It searches the process list in the operating system for PoS software. "It sends out memory dumps to the command-and-control server, and searches for Track 1 and Track 2 data. These track formats have very unique [markers] so they are easy to find within memory," Raff says.

Some 30 percent of the targeted PoS systems were running Windows Server. Because that's not a typical OS for browsing, the initial infections were likely via drive-by Web downloads or other Web-based attacks, Raff notes. The initial infection vector remains unknown, he says.
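Raff's description of how Dexter locates track data in memory is also how an incident responder confirms exposure: scan a captured process memory dump for the Track 1 and Track 2 record markers and Luhn-validate the PAN to drop look-alike digit runs. The following is an added example, not Seculert's or the article's code; the dump bytes use a public test PAN and are constructed, and hits are masked for reporting.

```python
"""Scan a captured memory dump for magnetic-stripe Track 1 / Track 2 records
to confirm whether cardholder data was exposed in a PoS process's memory.
Added example, not Seculert's code; all sample bytes below are constructed."""
import re
from dataclasses import dataclass

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})")

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """PCI-style masking for reports: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Hit:
    track: int
    offset: int
    masked_pan: str
    expiry: str   # YYMM as encoded on the stripe

def find_track_data(blob: bytes) -> list:
    """Return Luhn-valid Track 1/2 hits sorted by their offset in the blob."""
    hits = []
    for m in TRACK1_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(1, m.start(), mask(pan), m.group(3).decode()))
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(2, m.start(), mask(pan), m.group(2).decode()))
    return sorted(hits, key=lambda h: h.offset)

# Constructed dump: a public test PAN in both track formats plus a Luhn-invalid decoy.
SAMPLE_DUMP = (b"\x00\x00pos.exe\x00%B4111111111111111^DOE/JOHN^25121011234?\x00\x00"
               b";4111111111111111=25121011234567890?\x00;4111111111111112=2512101?\x00")
```

Running `find_track_data(SAMPLE_DUMP)` reports two masked hits (one per track format) and silently discards the decoy record whose PAN fails the Luhn check.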

Researchers at Trusteer in April spotted a remote access Trojan (RAT) tool for sale for $280 in underground forums that targets hotel computers at a global hotel chain. The RAT infects hotel front-desk computers with spyware that lifts customer payment information: It spreads via spear-phishing emails or instant messages, as well as via drive-by downloads.

"As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised," said Amit Klein, Trusteer CTO, in a blog post about the RAT.

But Dexter -- which Seculert named after a string of code found in one of the malware files -- is different from the RAT-for-sale. "It's not being sold in underground forums, and it's custom-made by a specific attacking group," Seculert's Raff says.

Dexter also uses an online tool to parse the payment card information, a stealthier approach. "Usually, malware tries to do that on the device, but that sometimes makes it easier for security solutions to identify it as an attack," he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

This sounds like one nasty little malware. There is a lot of sensitive data that is kept on POS systems. Companies keep all sorts of customer information in their databases. Take for example a car dealership's point of view contains license, plate, DMV info, credit info., and purchase history. That just saved an awful lot of time that would have had to been gotten through social engineering and research. 40 countries are feeling the effects I can't imagine that this will be as much of a that in the near future.

There's an easy approach for this that many merchants are already using with great success - details below. In a nutshell, never let the POS see the cardholder data, but do it in such as way that the POS doesn't have to change and can still use the protected data.

Seems to me to be fairly easy to mitigate. Keep the POS terminals off the internet. Run their outbound traffic through a central proxy and 'whitelist' the websites they can access. Close down all the other egress ports. If the malware can't check into the C&C server, this attack is largely unsuccessful. Too bad we don't know the initial infection mechanism yet, although I'll wager it's a phishing email.
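The egress-allowlist approach described in this comment can be audited from the proxy's own log: any PoS-subnet request to a host outside the allowlist is either a blocked check-in worth investigating or one that slipped through. The following is an added example, not the commenter's code; the subnet, hostnames and Squid-style access.log lines are all constructed.

```python
"""Audit a web proxy access log for point-of-sale hosts contacting destinations
outside the egress allowlist, separating check-ins the proxy blocked from ones
that got through. Added example; subnet, hostnames and log lines are constructed."""
import ipaddress

POS_SUBNET = ipaddress.ip_network("10.50.0.0/24")            # constructed PoS VLAN
ALLOWED_HOSTS = {"payments.example-processor.test",           # constructed allowlist
                 "updates.example-posvendor.test"}

# Constructed lines in Squid native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1354800001.123 45 10.50.0.21 TCP_TUNNEL/200 5120 CONNECT payments.example-processor.test:443 - HIER_DIRECT/203.0.113.10 -
1354800007.456 12 10.50.0.21 TCP_DENIED/403 0 GET http://cdn.example-evil.test/gateway.php - HIER_NONE/- text/html
1354800012.789 30 10.50.0.37 TCP_MISS/200 2048 POST http://cdn.example-evil.test/gateway.php - HIER_DIRECT/198.51.100.7 text/html
1354800020.001 20 10.50.1.5 TCP_MISS/200 9000 GET http://news.example.test/ - HIER_DIRECT/192.0.2.9 text/html
"""

def host_of(url: str) -> str:
    """Extract the bare hostname; CONNECT lines carry host:port, others a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0]

def audit(log: str) -> dict:
    """Return {'blocked': [...], 'slipped_through': [...]} of (client, host) pairs
    for PoS-subnet requests to hosts that are not on the allowlist."""
    findings = {"blocked": [], "slipped_through": []}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, action, url = fields[2], fields[3], fields[6]
        if ipaddress.ip_address(client) not in POS_SUBNET:
            continue                      # only PoS hosts are in scope here
        host = host_of(url)
        if host in ALLOWED_HOSTS:
            continue
        bucket = "blocked" if action.startswith("TCP_DENIED") else "slipped_through"
        findings[bucket].append((client, host))
    return findings
```

A non-empty `slipped_through` list means the allowlist or the proxy enforcement has a gap; a non-empty `blocked` list still identifies which terminals are trying to beacon and should be pulled for forensics.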

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.

There have been numerous attacks on POS systems over the years, and the technology doesn't seem to have become a lot more secure. Any readers out there hear of good solutions for securing POS? --Tim Wilson, editor, Dark Reading
